B1-1

Question 1

The Sarbanes-Oxley Act of 2002 requires that the officers of a corporation be held accountable to a code of ethics. According to the Act, codifications of ethical standards should include provisions for all of the following, except:

a.

Prompt internal reporting of code provisions and accountability for adherence to the code.

b.

Compliance with laws, rules and regulations.

c.

Full, fair, accurate, and timely disclosure in periodic financial statements.

d.

Honest and ethical conduct.

Answer 1

Choice “a” is correct. Although the SEC proposed standards for codes of ethics to include both internal reporting of code provisions and accountability for adherence to the code, the Sarbanes-Oxley Act itself does not have this requirement.

Choice “d” is incorrect. The Act specifically requires that the code of ethics include provisions for honest and ethical conduct.

Choice “c” is incorrect. The Act specifically requires that the code of ethics include provisions for full, fair, accurate, and timely disclosure in periodic financial statements.

Choice “b” is incorrect. The Act specifically requires that the code of ethics include provisions for compliance with laws, rules, and regulations.

Question 2

The Enterprise Risk Management-Integrated Framework of the committee of sponsoring organizations (COSO) is best defined as a:

a.

Process that replaces the COSO internal control framework.

b.

Process that takes a control-based approach to an organization.

c.

Process effected by an entity’s board of directors, management, and other personnel.

d.

Serial process in which one component affects only the next component.

Answer 2

Choice “c” is correct. It is actually stated in the definition provided by COSO for enterprise risk management (ERM) that it is “a process, effected by an entity’s board of directors, management, and other personnel.”

Choice “d” is incorrect. ERM is comprehensive, in that one component affects many other components of an organization.

Choice “b” is incorrect. ERM takes a risk-based approach to an organization.

Choice “a” is incorrect. The COSO internal control framework assists organizations in developing assessments for internal control effectiveness. This is separate from enterprise risk management, which is used for developing a response to risk management.

Question 3

Knox, president of Quick Corp., contracted with Tine Office Supplies, Inc. to supply Quick’s stationery on customary terms and at a cost less than that charged by any other supplier. Knox later informed Quick’s board of directors that Knox was a majority stockholder in Tine. Quick’s contract with Tine is:

a.

Void because the disclosure was made after execution of the contract.

b.

Valid because the contract is fair to Quick.

c.

Void because of Knox’s self-dealing.

d.

Valid because of Knox’s full disclosure.

Answer 3

Choice “b” is correct. If a corporation enters into a contract and a director has a conflict of interest in the transaction, the contract is voidable unless the director makes full disclosure of all of the facts to the disinterested directors or the shareholders, who then approve the transaction, or the director can prove that the transaction was fair to the corporation. The stationery purchase was fair to Quick, since it was purchased at a below-market price. Thus, the contract is valid.

Choice “c” is incorrect. A director’s self-dealing does not automatically make a contract void. The contract can be upheld if it was fair.

Choice “a” is incorrect. A director’s self-dealing does not automatically make a contract void. The contract can be upheld if it was fair.

Choice “d” is incorrect. If a corporation enters into a contract and a director has a conflict of interest in the transaction, the contract is voidable unless the director makes full disclosure of all of the facts to the disinterested directors or shareholders, who then approve the transaction, or the director can prove that the transaction was fair. Mere disclosure after the contract was adopted does not automatically render the contract valid.

Question 4

The external auditors for the Horace Company assess the achievement of internal control objectives each year and communicate the assessment to management and the Board. Communication by the external auditor illustrates which principle of the information and communication component of the Committee on Sponsoring Organization’s Integrated Framework?

a.

Internal Control Information.

b.

Financial Reporting Information.

c.

Internal Communication.

d.

External Communication.

Answer 4

Choice “d” is correct. The principle of external communications asserts that matters affecting the achievement of financial reporting should be communicated with outside parties.

Choice “b” is incorrect. The principle of financial reporting information principles conveys the idea that information should be identified, captured, used at all levels of the company, and distributed in a manner that supports achievement of financial reporting objectives.

Choice “a” is incorrect. Internal control information is needed to facilitate the function of control components and is identified, captured, used, and distributed in a timely manner that enables personnel to fulfill their responsibilities.

Choice “c” is incorrect. The principle of internal communications asserts that communications should enable and support understanding and execution of internal control objectives, processes and individual responsibilities.

Question 5

Establishing objectives that will support the mission and vision of an organization generally involve supporting the mission with:

a.

Related objectives.

b.

Strategic objectives, supported by strategies and related objectives.

c.

Strategy supported by strategic and related objectives.

d.

Strategy.

Answer 5

Choice “b” is correct. Strategic objectives support the mission and are implemented via various strategies and related objectives.

Choice “c” is incorrect. Strategic objectives are implemented by strategy and supported by related objectives.

Choice “d” is incorrect. Strategy requires related objectives to be fully implemented.

Choice “a” is incorrect. Related objectives support various strategic plans that support the mission.

Question 6

The Justco Corporation completed its annual retreat of board members and senior management and produced a document that links the organization’s mission and vision with strategic and related objectives. The document includes a commitment to conduct focus groups with customers and suppliers to determine the responsiveness of Justco to the needs of various parties. That commitment would most likely be a:

a.

Related compliance objective.

b.

Strategic objective.

c.

Related operations objective.

d.

Related reporting objective.

Answer 6

Choice “c” is correct. Conducting focus groups would most likely be a related operating objective. Focus groups would identify the needs of various stakeholders and be used to improve operations.

Choice “b” is incorrect. Strategic objectives are generally less operationally specific than the related objective contemplated by conducting focus groups.

Choice “d” is incorrect. Conducting focus groups is a related operations objective, not a reporting objective.

Choice “a” is incorrect. Conducting focus groups is a related operations objective, not a compliance objective.

Question 7

The principle that protects corporate directors from personal liability for acts performed in good faith on behalf of the corporation is known as:

a.

The responsible person doctrine.

b.

The business judgment rule.

c.

The clean hands doctrine.

d.

The full disclosure rule.

Answer 7

Choice “b” is correct. If a director acts in good faith and in a manner the director believes is in the best interest of the corporation, and the director exercises the care that a reasonably prudent person would exercise in a similar position, the director is protected against liability for decisions the director makes that turn out poorly for the corporation. This is commonly known as the business judgment rule.

Choice “c” is incorrect. The clean hands doctrine (better known as the unclean hands doctrine) is a defense in actions brought in cases seeking equitable relief (e.g., an action seeking specific performance of a contract). If a person seeking equitable relief has acted improperly in the transaction before the court, he is said to have unclean hands and the court will not grant equitable relief. The doctrine has nothing to do with releasing directors from liability for acting in good faith and is outside the scope of the CPA Exam topics.

Choices “d” and “a” are incorrect. There are no such rules. Full disclosure may be required in certain situations under corporate law, but such disclosure requirement is not the described doctrine.

Question 8

According to COSO, which of the following is a compliance objective?

a.

To maintain accounting principles that conform to GAAP.

b.

To maintain adequate staffing to keep overtime expense within budget.

c.

To maintain a safe level of carbon dioxide emissions during production.

d.

To maintain material price variances within published guidelines.

Answer 8

Choice “c” is correct. Maintaining safe (mandated by regulation) carbon dioxide emissions during production is a compliance objective. Compliance objectives include adherence to the laws, rules, and regulations associated with operations, including environmental regulations and other laws.

Choice “b” is incorrect. Maintaining adequate staffing to keep overtime expense within budget is likely an operations rather than compliance objective.

Choice “d” is incorrect. Maintaining material price variances within published guidelines is likely an operations objective.

Choice “a” is incorrect. Maintaining accounting principles that conform to GAAP is likely a reporting objective.

Question 9

A company that retains a CPA with the appropriate knowledge, skills and abilities to prepare timely and effective financial reporting is applying the ideas from which principle of effective internal control over financial reporting?

a.

Accountability.

b.

Management philosophy and operating style.

c.

Integrity and ethical values.

d.

Financial reporting competencies.

Answer 9

Choice “d” is correct. The financial reporting competencies principle of the control environment component of internal control integrated framework suggests stronger controls and encourages the company to retain qualified personnel to handle financial reporting.

Choice “c” is incorrect. The integrity and ethical values principle of the control environment component of internal control integrated framework suggests stronger controls with high standards of ethical conduct for top management, but does not address retention of qualified personnel to handle financial reporting.

Choice “b” is incorrect. The management philosophy and operating style principle of the control environment component of internal control integrated framework suggests strong controls and encourages management’s attitudes to be congruent with strong financial controls, but does not address retention of qualified personnel to handle financial reporting.

Choice “a” is incorrect. The accountability principle of the control environment component of internal control integrated framework suggests strong controls and encourages management to hold individuals accountable for their internal control responsibilities, but does not address retention of qualified personnel to handle financial reporting.

Question 10

Which of the following is necessary to be an audit committee financial expert according to the criteria specified in the Sarbanes-Oxley Act of 2002?

a.

Education and experience as a certified financial planner.

b.

Experience with internal accounting controls.

c.

Experience in the preparation of tax returns.

d.

A limited understanding of generally accepted auditing standards.

Answer 10

Choice “b” is correct. The financial expert serving on the audit committee of an issuer must have experience with internal controls. The financial expert qualifies through education or past experience as an auditor or finance officer for an issuer of similar complexity.

Choice “d” is incorrect. The financial expert qualifies through education or past experience as an auditor or finance officer for an issuer of similar complexity. The expert should have an understanding of GAAP, application of GAAP, an understanding of internal controls and an understanding of audit committee functions. There is no requirement to have a limited understanding of GAAS.

Choice “a” is incorrect. The financial expert qualifies through education or past experience as an auditor or finance officer for an issuer of similar complexity. The expert should have an understanding of GAAP, application of GAAP, an understanding of internal controls and an understanding of audit committee functions. There is no requirement to have education and experience as a certified financial planner.

Choice “c” is incorrect. The financial expert qualifies through education or past experience as an auditor or finance officer for an issuer of similar complexity. The expert should have an understanding of GAAP, application of GAAP, an understanding of internal controls and an understanding of audit committee functions. There is no requirement to have experience in tax return preparation.

Question 11

Generally, an organization will not operate beyond the limits of their risk appetite. Risk appetite has generally been exceeded when:

a.

The likelihood and impact of positive events is within the residual risk.

b.

The likelihood and impact of negative events exceed residual risks.

c.

The likelihood and impact of positive events is significantly below residual risk.

d.

The likelihood and impact of negative events significantly exceeds residual risks.

Answer 11

Choice “d” is correct. Generally, an organization’s risk appetite has been exceeded when the combined likelihood and impact of negative events significantly exceed residual risk. Residual risk represents the risk that remains after management has taken actions to mitigate negative events. If the likelihood and impact of those negative events significantly exceeds the residual risk, the operation is likely to exceed the organization’s risk appetite.

Choice “b” is incorrect. An organization’s risk appetite may go beyond the risk that they control. When the likelihood and impact of negative events exceeds residual risk, management will need to carefully evaluate their actions, but they may not have exceeded their risk appetite.

Choice “a” is incorrect. Positive events represent opportunities. If those opportunities are within residual risk, then the opportunity will likely be pursued.

Choice “c” is incorrect. Positive events represent opportunities. If those opportunities are significantly below residual risk, then the opportunity will likely be pursued.

Question 12

According to the Sarbanes-Oxley Act of 2002, which of the following statements is correct regarding an issuer’s audit committee financial expert?

a.

The audit committee financial expert must be the issuer’s audit committee chairperson to enhance internal control.

b.

The issuer must fill the role with an individual who has experience in the issuer’s industry.

c.

If an issuer does not have an audit committee financial expert, the issuer must disclose the reason why the role is not filled.

d.

The issuer’s current outside CPA firm’s audit partner must be the audit committee financial expert.

Answer 12

Choice “c” is correct. Sarbanes-Oxley Section 407 requires that an issuer’s audit committee have at least one financial expert, or disclose why that role is not filled. Section 407 requires that the financial expert have an understanding of GAAP and financial statements, be able to assess the application of accounting principles, have comparable experience applying accounting principles to entities that present a similar level of complexity of the issuer, and understand both internal controls and audit committee functions.

Choice “d” is incorrect. The audit committee is charged with negotiating the engagement of the external auditor and supervising their work. The auditor is accountable to the audit committee. The partner in charge of the audit firm engaged to do the audit should not be the financial expert on the audit committee.

Choice “b” is incorrect. Section 407 requires that the audit committee’s financial expert understand the application of accounting principles to the issues representative of the complexity of the issuer but does not require specific experience in the industry. Section 407 defines four ways in which the necessary attributes of a financial expert can be achieved: education, experience supervising a financial officer, experience overseeing auditors, or other relevant experience.

Choice “a” is incorrect. Section 407 does not require that the audit committee’s chairman be its financial expert.

Question 13

A company that maintains a strong internal audit function that reports directly to the Board of Directors is applying the ideas from which principle of effective internal control over financial reporting?

a.

Organizational structure.

b.

Human resources.

c.

Board of Directors.

d.

Authority and responsibility.

Answer 13

Choice “a” is correct. The organizational structure principle says that reporting relationships should not undermine the commitment to effective financial reporting and internal control. Maintaining reporting independence of the internal auditor is one way to apply this principle.

Choice “c” is incorrect. The Board of Directors’ principle says that the board should be actively involved in overseeing the implementation of both financial reporting and internal controls. The principle relates more to leadership than to reporting relationships.

Choice “d” is incorrect. The authority and responsibility principle says that authority and responsibility should be delegated to individuals within the organizational structure as appropriate to maintain effective internal controls. The authority and responsibility of individuals can be undermined by flaws in the organizational structure.

Choice “b” is incorrect. The human resources principle says that human resources policies and procedures should be fully compatible with effective financial reporting and internal control. Competence, not reporting structures is emphasized by this principle.

Question 14

According to COSO, which of the following is the most effective method to transmit a message of ethical behavior throughout an organization?

a.

Strengthening internal audit’s ability to deter and report improper behavior.

b.

Specifying the competence levels for every job in an organization and translating those levels to requisite knowledge and skills.

c.

Demonstrating appropriate behavior by example.

d.

Removing pressures to meet unrealistic targets, particularly for short-term results.

Answer 14

Choice “c” is correct. According to the COSO, demonstrating appropriate behavior by example is the most effective method to transmit a message of ethical behavior throughout an organization. The commitment to ethical behavior begins with the tone at the top, and is best established by management’s demonstrated commitment to ethical behavior.

Choice “a” is incorrect. Although detection of unethical behavior with improved internal audit resources is important, it is not as effective in transmitting a message of ethical behavior as leadership by example.

Choice “d” is incorrect. Realistic goals are an important component of a corporate culture that encourages ethical behavior; unrealistic goals may provide reasons for unethical behavior. But, according to COSO, they are no substitute for a strong commitment by management and an ethical tone at the top.

Choice “b” is incorrect. A competent work force supports ethical behavior and provides an environment where ethical behavior will thrive. However, a demonstrated commitment to ethical behavior by management is the most effective method for transmitting a message of ethical behavior throughout the organization.

Question 15

The Sarbanes-Oxley Act of 2002 requires that the members of the audit committee be independent with regard to the issuer. Within the meaning of the law, which of the following corporate officers would be considered independent?

~Board Member
~Independent Auditor
a.

No

No

b.

Yes

No

c.

No

Yes

d.

Yes

Yes

Answer 15

Rule: Audit committee members are to be members of the issuer’s Board of Directors but also must be otherwise independent. Independence criteria are as follows:

Audit committee members may not accept compensation from the issuer for consulting or advisory services.

Audit committee members may not be an affiliated person of the issuer (affiliation means a person has the ability to influence financial decisions).

Choice “b” is correct. Board membership does not impair independence for purposes of audit committee membership (in fact, being a board member is a requirement). The independent auditor is hired and paid by the audit committee and thus is not independent, per the rule above.

Choices “d”, “c”, and “a” are incorrect, based on the above explanation.

Question 16

The Hartman Conglomerate completed its annual retreat of board members and senior management and produced a document that links the organization’s mission and vision with strategic and related objectives. The document includes a commitment to develop a uniform chart of accounts for all divisions of the conglomerate. That commitment would most likely be a:

a.

Related compliance objective.

b.

Related operations objective.

c.

Strategic objective.

d.

Related reporting objective.

Answer 16

Choice “d” is correct. Establishment of a company-wide uniform chart of accounts would most likely be a related reporting objective. Uniform charts of accounts would promote more efficient reporting.

Choice “c” is incorrect. Strategic objectives are generally less operationally specific than the related objective contemplated by the uniform chart of accounts.

Choice “b” is incorrect. A uniform chart of accounts is a related reporting objective, not an operations objective.

Choice “a” is incorrect. A uniform chart of accounts is a related reporting objective, not a compliance objective.

Question 17

Kamp Sporting Goods seeks to establish a code of conduct that will communicate the “tone at the top” to all employees. The contents of the code will likely include all of the following, except:

a.

Definitions of common sense approaches to software piracy to ensure that the company is competitive.

b.

Descriptions of the organization’s commitment to compliance and confidentiality.

c.

Prohibitions against conflicts of interest and self dealing.

d.

Prohibitions or limits on gifts and gratuities or establishes required reporting.

Answer 17

Choice “a” is correct. Codes of conduct likely will not condone exceptions to ethical behavior or the law in the name of competition.

Choice “c” is incorrect. Codes of conduct frequently include prohibitions against conflicts of interest.

Choice “d” is incorrect. Codes of conduct often include guidance on gifts and gratuities.

Choice “b” is incorrect. Codes of conduct will generally stipulate that information is privileged and should be kept confidential.

Question 18

The business judgment rule is a rule that immunizes corporate:

a.

Management from liability for actions that result in corporate losses or damages if the actions are undertaken in good faith and are within both the power of the corporation and the authority of management to make.

b.

Management from liability for actions that result in corporate losses or damages if the actions are undertaken in good faith but are not within the power of the corporation or the authority of management to make.

c.

Shareholders from liability for actions that result in corporate losses or damages if the actions are undertaken in good faith and are within both the power of the corporation and the authority of shareholders to make.

d.

Shareholders from liability for actions that result in corporate losses or damages if the actions are undertaken in good faith but are not within the power of the corporation or the authority of shareholders to make.

Answer 18

Choice “a” is correct. Under the business judgment rule, a director is protected from liability for decisions made on behalf of the corporation if the director acts in good faith and in a manner that the director believes is in the best interest of the corporation, exercising the care that a reasonably prudent person would exercise in a similar position. The action must also ostensibly be within the power of the corporation to undertake and ostensibly within the authority of management to make.

Choice “b” is incorrect. A director will not be protected under the business judgment rule if he knowingly causes the corporation to undertake action that is not within the power of the corporation to take and not within the authority of management.

Choices “c” and “d” are incorrect. The business judgment rule protects directors; it is not applicable to the shareholders (except perhaps in the case of a closely-held corporation being run by the shareholders).

Question 19

Able Corporation owns numerous businesses along the coast of Florida. The company’s management has identified business interruption events as a potential risk resulting from storm damages caused by hurricanes. The company elects to not only insure its properties but to “buy down” standard deductibles with additional premium. Able’s response to potential risks is known as:

a.

Reduction.

b.

Acceptance.

c.

Sharing.

d.

Avoidance.

Answer 19

Choice “c” is correct. Insuring against losses or entering into joint ventures to address risk is known as risk sharing.

Choice “d” is incorrect. A response to risk that involves the disposal of a business unit, product line or geographical segment is called risk avoidance. Obtaining appropriate insurance is not avoidance.

Choice “a” is incorrect. A response to risk that involves the diversification of product offerings rather than elimination of product offerings is called reduction. Obtaining appropriate insurance is not reduction, it is sharing (the risk has not changed; it has been shifted to another party).

Choice “b” is incorrect. Self insuring or simply tolerating the full exposure to risk is known as acceptance. Obtaining appropriate insurance is not acceptance of risk.

Question 20

The Gotham Corporation regularly produces budget vs. actual data for its managers. The company is particularly sensitive to personnel costs, and division variances of greater than five percent for any period are promptly investigated to determine if budgeted postions have not been filled or if there has been extraordinary overtime. Timely exception resolution of this character illustrates the information and communication principles typically associated with:

a.

Obtain and Use Information.

b.

Internal Communication.

c.

External Communication.

d.

Financial Reporting Information.

Answer 20

Choice “a” is correct.The principle of obtain and use information is applied when the organization obtains or generates and uses relevant, high-quality information to support the functioning of the control. In this case, management is using the exception report (information) to support the control of monitoring overtime costs.

Choice “d” is incorrect. Financial reporting information is not a principle of COSO.

Choice “b” is incorrect. Internal communications anticipate that communications enable and support understanding and execution of internal control objectives, processes, and individual responsibilities. Variance analysis specifically supports internal control, not simply internal communications generally.

Choice “c” is incorrect. External communications anticipate that matters affecting the achievement of financial reporting are communicated with outside parties.

Question 21

All of the following management activities of the Falco Insurance Group, Inc. are evidence of the ongoing monitoring of internal controls built into the company’s system, except:

a.

The CEO and CFO are required to formally verify that all major disbursements such as for claims and reinsurance premiums fully comply with the planned program of insurance.

b.

The CEO and CFO review monthly disaggregated gross margin and operating margin data by line of coverage.

c.

The CFO reviews changes in liability reserves in excess of a specified threshold.

d.

The CFO updates the audit committee on status of internal control.

Answer 21

Choice “d” is correct. Regular reporting to the audit committee represents reporting of deficiencies, not ongoing monitoring.

Choice “a” is incorrect. Ongoing monitoring of internal controls include such functions as verification that major disbursements meet the criteria for planned risk retention as part of a program of insurance. Formal authorization of all major disbursements such as for claims and reinsurance premiums for this purpose represent an ongoing monitoring.

Choice “c” is incorrect. Ongoing monitoring of internal controls include such functions as authorization of major disbursements, reviews of large or unusual transactions and high level reviews of disaggregated information. Reviews of changes in liability reserves in excess of a specified threshold represent ongoing monitoring.

Choice “b” is incorrect. Ongoing monitoring of internal controls include such functions as authorization of major disbursements, reviews of large or unusual transactions and high level reviews of disaggregated information. Monthly reviews of disaggregated gross margin and operating margin data by line of coverage represents ongoing monitoring.

Question 22

The Sarbanes-Oxley Act of 2002 requires that the management report on internal control include all of the following, except:

a.

A conclusion about the effectiveness of the company’s internal controls.

b.

A statement that the auditor has attested and reported on management’s evaluation of internal controls.

c.

A statement that there are no disagreements between management and the auditor as to the effectiveness of internal controls.

d.

A statement of management’s responsibilities for establishing and maintaining adequate internal controls.

Answer 22

Choice “c” is correct. Financial statement disclosures include management’s assumption of responsibility for internal control, management’s assessment of internal control effectiveness and a statement that the auditor has reported on management’s evaluation. Management does not describe disagreements, if any, between management and the auditor.

Choices “d”, “a”, and “b” are incorrect, based on the above explanation

Question 23

Extra Edge Sporting Goods has set a strategic objective of being in the upper quartile of sporting goods retailers. The company identified a related objective of increasing its sales force by 50 new staff members while maintaining staff cost at .194 cents per sales dollar. Events identified by the management of Extra Edge that might interfere with achievement of their related objective would include all of the following, except:

a.

Job markets may heat up and cause fewer offers to be accepted for the expanded sales force.

b.

Inadequate needs assessments may result in bad staffing decisions.

c.

Job markets may slow down and result in more staff accepting positions than there are available positions.

d.

Product demand may fall if sporting goods become less popular.

Answer 23

Choice “d” is correct. Although product demand is a legitimate concern, the related objective is associated with staffing levels. The drop in product demand would not be an event identified regarding the objective of hiring staff within certain cost constraints.

Choice “a” is incorrect. An overheated job market that creates a reduced pool of job applicants is an event that would affect Extra Edge’s objective of adding 50 new staff members.

Choice “b” is incorrect. Inadequate needs assessments is an event that could impact the quality of the new staff added by Extra Edge and would impact the objective of adding 50 new staff members.

Choice “c” is incorrect. A sluggish job market is an event that could not only result in an abundance of staff but could also produce acceptance of more offers than there are available positions and would impact Extra Edge’s objective of adding 50 new staff members.

Question 24

In order to comply with a director’s duty of loyalty to a corporation, what action(s) should a director take when presented with a corporate opportunity?

a.

Accept the opportunity and not offer it to the corporation.

b.

Offer the opportunity to the corporation and accept it if the corporation rejects it.

c.

Accept the opportunity and disclose the acceptance to the corporation.

d.

Reject the opportunity and not offer it to the corporation.

Answer 24

Choice “b” is correct. The business law concept of “duty of loyalty” is a common ethical standard. The director’s duty of loyalty requires that the director offer opportunities presented in the market place first to the corporation and only accept them if the corporation rejects it. A land developer might sit on the board of a land development company. If presented with the opportunity to purchase a building or land at a significant discount, the developer would be obligated to offer the opportunity to the corporation first but would not be barred from taking advantage of the opportunity if the corporation had no interest.

Choice “d” is incorrect. The duty of loyalty does not require that a director ignore an opportunity by personally rejecting it and not offering it to the corporation.

Choice “a” is incorrect. A director’s duty of loyalty requires both disclosure and offering the opportunity to the director’s corporation before accepting the opportunity.

Choice “c” is incorrect. A director’s duty of loyalty requires both disclosure and offering the opportunity to the director’s corporation before accepting the opportunity.

Question 25

Management has carefully evaluated the likelihood and impact of events on its foreign operations. In the event of a 3% variation in exchange rate, the impact is estimated at $10 million without any action taken by management and $4 million if the company purchases a hedge instrument. The impact of the inherent risk of changes in foreign currency exchange on achieving company’s business objectives is:

a.

$ 4 million.

b.

$ 6 million.

c.

$14 million.

d.

$10 million.

Answer 25

Choice “d” is correct. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. The $10 million exposure identified in the problem is the risk exposure without management’s intervention.

Choice “c” is incorrect. The inherent risk is not the sum of the inherent risk of $10 million and the residual risk of $4 million.

Choice “b” is incorrect. The inherent risk is not the difference between the inherent risk of $10 million and the residual risk of $4 million.

Choice “a” is incorrect. The $4 million risk exposure, after management purchases the hedge, is the residual risk. Residual risk is the risk that remains after management responds to the risk.

Question 26

Able Corporation owns numerous businesses along the coast of Florida. The company’s management has identified business interruption events as a potential risk resulting from storm damages caused by hurricanes. The company elects to balance its portfolio of risk with property investments on the coast of other states and in Florida’s interior. Able’s response to potential risks is known as:

a.

Sharing.

b.

Avoidance.

c.

Acceptance.

d.

Reduction.

Answer 26

Choice “d” is correct. A response to risk that involves the diversification of product offerings rather than elimination of product offerings is called reduction.

Choice “b” is incorrect. A response to risk that involves the disposal of a business unit, product line or geographical segment is called risk avoidance. Adjustments to the portfolio do not represent avoidance.

Choice “a” is incorrect. Insuring against losses or entering into joint ventures to address risk is known as risk sharing. Adjustments to the portfolio do not represent sharing.

Choice “c” is incorrect. Self insuring or simply tolerating the full exposure to risk is known as acceptance. Adjustments to the portfolio do not represent acceptance.

Question 27

The Carlton Corporation publishes an Employee Handbook that contains employee responsibilities for moral behavior including a code of conduct. Each year, employees must acknowledge their receipt of the handbook, their understanding of the code, and if they have any awareness of non-compliance within the company. The policies would indicate:

a.

Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

b.

Management’s philosophy and operating style support achieving effective internal control over financial reporting.

c.

Human resources practices are designed and implemented to facilitate effective internal control over financial reporting.

d.

Sound integrity and ethical values are developed and understood and set the standard of conduct for financial reporting.

Answer 27

Choice “d” is correct. The existence of a published code of ethics and a periodic acknowledgment that ethical values are understood is evidence of development of ethical values and ensuring that those values are understood and taken seriously.

Choice “c” is incorrect. Human resources standards generally relate to hiring practices and appropriate placement of individuals within the organization based on job descriptions, rather than the specifics of ethical behavior.

Choice “b” is incorrect. Management’s operating style relates more to work ethic and commitment to effective financial reporting than the specifics of ethical behavior.

Choice “a” is incorrect. Appropriate delegation relates to the organization’s assignment of duties rather than to the specifics of ethical behavior.

Question 28

Which of the following is not a goal of an Enterprise Risk Management Framework (ERM)?

a.

Achieve financial and performance targets.

b.

Avoid adverse publicity and damage to the entity’s reputation.

c.

Provide reasonable assurance that company objectives and goals are achieved and problems and surprises are minimized.

d.

Assess risks continuously and identify the steps to take and resources to allocate to overcome or mitigate risk.

Answer 28

Choice “b” is correct. Avoiding adverse publicity and damage to the entity’s reputation is a public relations function, not a function of ERM.

Choice “c” is incorrect. ERM focuses on numerous goals including providing reasonable assurances that objectives and goals are achieved.

Choice “a” is incorrect. ERM focuses on numerous goals including achievement of financial and performance targets.

Choice “d” is incorrect. ERM focuses on numerous goals including risk assessment and mitigation.

Question 29

According to COSO, an effective approach to monitoring internal control involves each of the following steps,except:

a.

Increasing the reliability of financial reporting and compliance with applicable laws and regulations.

b.

Designing and executing monitoring procedures that are prioritized based on risks to achieve organizational objectives.

c.

Establishing a foundation for monitoring.

d.

Assessing and reporting the results, including following up on corrective action where necessary.

Answer 29

Choice “a” is correct. Increasing the reliability of financial reporting and compliance with applicable laws and regulations is an approach to promoting a management philosophy and style that is congruent with effective financial reporting and control, not monitoring. Monitoring internal control may involve establishing a foundation for monitoring, prioritization of monitoring procedures based on risk to achieve organizational objectives, and assessing reporting results and following up as appropriate with corrective actions.

Choice “c” is incorrect. Embracing the attributes of the monitoring principle including establishing a foundation for monitoring is an effective approach to monitoring.

Choice “b” is incorrect. Designing procedures that are prioritized based on risks to achieving organization objectives is an effective approach to monitoring. Management might consider, for example, developing a list of control weaknesses that would seriously, rather than immaterially, threaten the reliability of financial reporting to establish standards for immediate reporting.

Choice “d” is incorrect. Assessing and reporting results, including following up on corrective actions, is an effective approach to monitoring. Management might consider, for example, establishing procedures that require reporting all deficiencies to a responsible manager.

Question 30

Davis, a director of Active Corp., is entitled to:

a.

Rely on information provided by a corporate officer.

b.

Serve on the board of a competing business.

c.

Take sole advantage of a business opportunity that would benefit Active.

d.

Unilaterally grant a corporate loan to one of Active’s shareholders.

Answer 30

Choice “a” is correct. As a director of the corporation Davis may rely on information provided to him/her by a corporate officer. A corporate director is under no obligation to verify information given to him by management (corporate officers).

Choice “b” is incorrect. A director is not entitled to serve on the board of a competing business. Doing so would be a breach of fiduciary duty.

Choice “c” is incorrect. A director may not take sole advantage of a business opportunity that would benefit the corporation. Doing so would be a breach of fiduciary duty.

Choice “d” is incorrect. A director may not unilaterally grant a corporate loan to one of the corporation’s shareholders. Directors generally must act through a majority vote at a directors’ meeting.

Question 31

Management of a company has a lack of segregation of duties within the application environment, with programmers having access to development and production. The programmers have the ability to implement application code changes into production without monitoring or a quality assurance function. This is considered a deficiency in which of the following areas?

a.

Data integrity.

b.

Computer operations.

c.

Management override.

d.

Change control.

Answer 31

Choice “d” is correct. Programmer access to development and production represents flawed segregation of duties that creates deficiencies for change control. Change control considers the manner in which management monitors and authorizes changes to a variety of information technology matters including software applications programs. Only authorized individuals should be allowed to move changes into production and the function of making the change should be segregated from the function of putting the change into production. Programmers with access to both programming instructions and live data undermine management’s control of data and their ability to verify that all changes have been performed in a manner consistent with their instructions.

Choice “c” is incorrect. Management override is a control weakness in which managers ignore or circumvent controls. Programmers are typically not management.

Choice “a” is incorrect. Data integrity requires that information be accurate and complete. The poor segregation of duties associated with programmer access to production may not impact the completeness or even the accuracy of data.

Choice “b” is incorrect. Computer operations would not necessarily be compromised as a result of programmer access to live data. The computer operations would continue to efficiently generate results only with potentially flawed instructions as a result of compromised change control.

Question 32

Control activities are most closely related to:

a.

Risk assessments.

b.

Inherent risks.

c.

Residual risks.

d.

Risk responses.

Answer 32

Choice “d” is correct. Control activities are the methods used to implement the response to risk. Sometimes the control activity is also, effectively, the risk response.

Choice “a” is incorrect. Risk assessments involve the determination of the likelihood and impact of events on the achievement of objectives.

Choice “b” is incorrect. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. Risk responses are developed to deal with inherent risk.

Choice “c” is incorrect. Residual risk is the risk that remains after management responds to the risk. The residual risk still remains after the response to the risk and the control activities are in place.

Question 33

Dollar Bus Company has set an objective to fully comply with published bus schedules to ensure consistent on-time service. The company knows that shorter routes per bus minimize delays caused by unforeseen issues. Shorter routes require a greater investment in the fleet. The company currently achieves an 83% compliance rate with the schedule and does not expect a significant increase or decrease in ridership or revenue as compliance improves to 100% but does see revenues fall off significantly when buses are late more that 20% of time. The company’s objective setting would logically develop as follows:

a.

Tolerable levels of variation from compliance with stated bus schedules are established as a means of establishing realistic compliance objectives.

b.

Compliance with the bus schedule would be reviewed in relation to the risk of lost ridership within tolerable compliance percentages above 80%.

c.

Compliance rates of 80% would become the objective and additional investments in buses would be required to reduce risk.

d.

Additional busses would be acquired to achieve the objective and incentives would be provided to drivers who consistently meet requirements.

Answer 33

Choice “b” is correct. Objectives are aligned with risk appetite, which drives risk tolerance levels.

Choice “d” is incorrect. Acquisition of additional busses is a response to risks and would not be part of objective setting. Objective setting precedes risk assessments which precede risk responses.

Choice “a” is incorrect. Tolerable limits would not be used to back into objectives.

Choice “c” is incorrect. Risk responses (purchase of buses) would not be derived from objectives.

Question 34

A company that routinely performs background checks on its employees to ensure that there is no criminal history is applying the ideas from which principle of effective internal control over financial reporting?

a.

Management’s philosophy and operating style.

b.

Financial reporting competencies.

c.

Integrity and ethical values.

d.

Human resources.

Answer 34

Choice “d” is correct. The human resources principle says that human resources policies and procedures should be fully compatible with effective financial reporting and internal control. Background checks are evidence of the organization’s commitment to hire new employees only after they have been thoroughly vetted and shown to be compatible with organizational commitments to competence, ethics, etc.

Choice “a” is incorrect. The management philosophy and operating style principle says that management’s philosophy and operating style should be congruent with effective financial reporting and internal control. Management’s philosophy is demonstrated by internal practices that emphasize work ethic and documentation and are evidenced by background checks.

Choice “c” is incorrect. The integrity and ethical values principle says that high standards of integrity and ethical conduct should be adopted by top management and demonstrated throughout the entire organization. Background checks on new employees do not support this principle.

Choice “b” is incorrect. The financial reporting competencies principle says that companies should retain qualified personnel to handle financial reporting. Financial reporting competencies represent the establishment of standards rather than the verification of standards (e.g., a background check).

Question 35

The Treadway Commission was established to study factors that lead to fraudulent financial reporting. The Treadway Commission was established by:

a.

Securities and Exchange Commission.

b.

Private sponsoring organizations.

c.

Treadway Foundation.

d.

Sarbanes-Oxley Act of 2002.

Answer 35

Choice “b” is correct. The Committee on Sponsoring Organizations (COSO), an independent private sector initiative, was initially established in the mid 1980’s to study the factors that can lead to fraudulent financial reporting. The COSO is sometimes referred to as the Treadway Commission after its original Chairman, James Treadway, Jr., an executive in the private sector. The private “sponsoring organizations” included the five major financial professional associations in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA).

Choices “d”, “a”, and “c” are incorrect, based on the above explanation.

Question 36

Strategic objectives for the mission and vision of the organization are generally linked to related objectives. All of the following objectives are typically regarded as related objectives, except:

a.

Reporting objectives.

b.

Information technology objectives.

c.

Compliance objectives.

d.

Operations objectives.

Answer 36

Choice “b” is correct. Objectives related to strategy are typically operations and reporting and compliance objectives. Information technology objectives may be a subset of one of these objectives, but is typically not a separate category.

Choice “d” is incorrect. Objectives related to strategy are typically operations and reporting and compliance objectives. Operations are a related objective.

Choice “a” is incorrect. Objectives related to strategy are typically operations and reporting and compliance objectives. Reporting is a related objective.

Choice “c” is incorrect. Objectives related to strategy are typically operations and reporting and compliance objectives. Compliance is a related objective.

Question 37

A not-for-profit organization periodically conducts focus groups of employees, service beneficiaries and governance board members to reevaluate its mission vision and values to determine the accuracy of the strategic statements to refine them where necessary. This activity relates to which component of internal control?

a.

Control activities.

b.

Information and communication.

c.

Risk assessment.

d.

Monitoring.

Answer 37

Choice “d” is correct. Periodically comparing and updating the mission vision and values of a not-for-profit could best be classified as a monitoring activity.

Choice “a” is incorrect. Control activities are typically those procedures that implement rather than monitor controls.

Choice “c” is incorrect. Risk assessment components of internal control programs relate to periodic evaluations of what could go wrong and the effectiveness of procedures to prevent or detect errors or irregularities.

Choice “b” is incorrect. Information and communication components of internal control relate to the periodic reporting on the effectiveness of controls.

Question 38

The Sarbanes-Oxley Act of 2002 seeks to improve investor confidence by providing greater transparency for all of the following issues, except:

a.

Competency of audit committees.

b.

Means and methods for balancing risk and growth.

c.

Adequacy of internal controls.

d.

Compliance of senior officers with a code of ethics.

Answer 38

Choice “b” is correct. The issues surrounding risk and growth are significant to investors and generally addressed by enterprise risk management concepts; however, the Sarbanes-Oxley Act focuses less on strategic operations and more on the financial reporting issues impacted by the audit committee’s competence, the ethical behavior of senior officers and the adequacy of internal controls.

Choices “a”, “d”, and “c” are incorrect. The Sarbanes-Oxley Act focuses on the financial reporting issues impacted by the audit committee’s competence, the ethical behavior of the financial officers and the adequacy of internal controls as a means of improving investor confidence. Competency of audit committees, compliance of senior officers with a code of ethics, and adequacy of internal controls are all issues addressed by Sarbanes Oxley.

Question 39

The criteria for evaluating the effectiveness of enterprise risk management are:

a.

The principles supporting the components of the internal control integrated framework.

b.

The components of the internal control integrated framework.

c.

The key elements supporting the components of the enterprise risk management framework.

d.

The components of the enterprise risk management framework.

Answer 39

Choice “d” is correct. The components of the enterprise risk management framework are the criteria used to evaluate its effectiveness.

Choice “b” is incorrect. The enterprise risk management framework embraces many of the concepts and objectives of the internal control framework, but they are not the criteria used to evaluate its effectiveness.

Choice “a” is incorrect. The enterprise risk management framework embraces many of the concepts and objectives of the internal control framework, but they are not the criteria used to evaluate its effectiveness.

Choice “c” is incorrect. The enterprise risk management framework embraces all of the key elements supporting enterprise risk management components, but they are not the criteria used to evaluate its effectiveness.

Question 40

As a matter of policy, all correspondence to or from regulatory auditors received by the management of the Barclay Corporation is provided to the Barclay Corporation audit committee and the corporation’s full board as needed. In assessing entity wide controls, management might conclude:

a.

The company’s organization structure supports effective internal control over financial reporting.

b.

Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

c.

The Board of Directors understands and exercises oversight responsibility related to financial reporting and related internal control.

d.

Management’s philosophy and operating style support achieving effective internal control over financial reporting.

Answer 40

Choice “c” is correct. Active engagement by an audit committee in representing the Board of Directors relative to all matters of internal and external audits is evidence of the board’s understanding of their oversight responsibility over financial reporting.

Choice “d” is incorrect. Management’s operating style typically relates to the manner in which employees regard the importance of internal controls. Qualified personnel actively engaged in ensuring effective financial reporting relate to management’s operating style.

Choice “a” is incorrect. The organizational structure principle typically involves the appropriate alignment of reporting relationships to ensure that controls are not undermined (e.g., internal auditors should not report to the CFO).

Choice “b” is incorrect. The authority and responsibility principle is typically related to defining staff responsibilities in a manner that is compatible with their authority and consistent with effective financial reporting.

Question 41

Company management completes event identification and analyzes the risks. The company wishes to assess its risk after management’s response to the risk. According to COSO, which of the following types of risk does this situation represent?

a.

Event risk.

b.

Residual risk.

c.

Inherent risk.

d.

Detection risk.

Answer 41

Choice “b” is correct. Residual risk is defined as the risk that an organization incurs after management takes whatever actions are needed to mitigate the adverse impact of a given event.

Choice “c” is incorrect. There is no indication in the facts of the question that this director failed to use prudent business judgment.

Choice “a” is incorrect. Event risk is the risk that an unexpected (and infrequent) event will occur that will have an adverse impact on an organization.

Choice “d” is incorrect. Detection risk is the risk that the procedures established by an auditor to detect material misstatements in a company’s financial statements will fail to detect a material misstatement.

Question 42

The primary benefit of having a financial expert on a company’s audit committee is:

a.

The enhanced level of financial sophistication of the financial expert can serve as a resource for the audit committee.

b.

The financial expert checks the auditor’s work and verifies the appropriateness of the audit opinion.

c.

The expert designation conveys a higher level of due diligence on the expert and shields audit committee members and the corporation from most liabilities.

d.

The financial expert certifies compliance with SEC requirements and thereby reduces audit fees.

Answer 42

Choice “a” is correct. The benefits of a financial expert on the audit committee relate to the expertise that the board can bring to its oversight function.

Choice “b” is incorrect. The audit committee provides oversight of the annual audit; however, the audit committee and its financial expert do not verify the auditor’s work.

Choice “c” is incorrect. The term “expert” within the context of the Sarbanes-Oxley Act does not convey the same requirements as SEC regulations and does not convey either a higher level of due diligence or provide insulation to other board members. The Act is silent as to the meaning of expert outside of the qualifications to be deemed an expert.

Choice “d” is incorrect. The financial expert does not certify compliance with SEC regulations.

Question 43

According to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which of the following components of enterprise risk management addresses an entity’s assignment of authority and responsibility?

a.

Internal environment.

b.

Information and communication.

c.

Monitoring.

d.

Control activities.

Answer 43

Choice “a” is correct. The internal environment component of the enterprise risk management (ERM) framework includes foundational elements such as organizational structure, assignment of authority and responsibility, integrity and ethical values, risk management philosophy, commitment to competence and human resource standards, and similar issues that influence the tone of the organization.

Choice “d” is incorrect. The control activities component of the ERM framework includes key elements that relate to the policies and procedures that ensure appropriate responses to identified risks, not to the assignment of authority and responsibility.

Choice “b” is incorrect. The information and communication component of the ERM framework includes key elements that relate to the identification, capture and communication of information, not to the assignment of authority and responsibility.

Choice “c” is incorrect. The monitoring component of the enterprise risk management framework includes key elements that relate to the ongoing management activities or separate evaluations of the ERM approach adopted by the entity, not to the assignment of authority and responsibility.

Question 44

A member of the board of directors of Central Communications Co. is offered a license by a third party to operate a cellular phone system. The director does not present this offer to the board of directors for approval but informally mentions it to a fellow board member, who does not think it will be a problem. The director buys the license. Which of the following statements is correct regarding the director’s actions?

a.

The director breached a duty of loyalty by usurping a corporate opportunity.

b.

The director breached the duty of due diligence.

c.

The director acted properly in purchasing the license.

d.

The director breached a duty of care by failing to use prudent business judgment.

Answer 44

Choice “a” is correct. Under the corporate opportunity doctrine, a director presented with a business opportunity that may be of interest to his/her corporation is prohibited through the duty of loyalty from taking the opportunity without first presenting it to the corporation. Only after the corporation is presented formally with the opportunity and decides not to take it can the director move forward. An informal discussion with a fellow board member is insufficient.

Choice “d” is incorrect. There is no indication in the facts of the question that this director failed to use prudent business judgment.

Choice “b” is incorrect. There is no indication in the facts of the question that this director breached the duty of due diligence.

Choice “c” is incorrect. The director did not act properly in purchasing the license because he/she needed to first present this opportunity formally to the board before moving forward with the license purchase.

Question 45

Barker Healthcare Corporation’s management is developing their risk assessment as they review plans to expand their nursing home chain into various states in the southeast. The management team has consulted published industry sources to evaluate both population trends and affluence in the region as a means of evaluating both demand, the ability to pay and the risk that populations may either not seek healthcare or may not be able to afford it. Barker’s listing of risks from industry sources is a technique for risk assessment known as a(n):

a.

Event Inventory.

b.

Facilitated workshop.

c.

Questionnaire/Survey.

d.

Process Flow Analysis.

Answer 45

Choice “a” is correct. When management uses listings of potential events common to a specific industry as a means of identifying risks or opportunities, the method is known as event inventory.

Choice “b” is incorrect. Gathering management together to discuss or even brainstorm ideas in a structured manner is a facilitated workshop. Common industry lists or inventories are not techniques associated with facilitated workshops.

Choice “c” is incorrect. Sending out questionnaires to affected parties requesting opinions on potential events is the questionnaire/survey approach. Common industry lists or inventories are not questionnaires or surveys.

Choice “d” is incorrect. A flow chart of activities used to identify potential risks is a process flow analysis. Common industry lists or inventories are not part of the process flow analysis.

Question 46

Able Corporation owns numerous businesses along the coast of Florida. The company’s management has identified business interruption events as a potential risk resulting from storm damages caused by hurricanes. Management is so fearful of the possibility of storm damage that they elect to divest the company of virtually all properties on the Florida coast. Able’s response to potential risks is known as:

a.

Avoidance.

b.

Acceptance.

c.

Reduction.

d.

Sharing.

Answer 46

Choice “a” is correct. A response to risk that involves the disposal of a business unit, product line, or geographical segment is called risk avoidance. When Able sells all of its businesses in Florida, the company eliminates its exposure to named storms that hit Florida.

Choice “c” is incorrect. A response to risk that involves the diversification of product offerings rather than the elimination of product offerings is called reduction. Leaving the state is avoidance, not reduction.

Choice “d” is incorrect. Insuring against losses or entering into joint ventures to address risk is known as risk sharing. Leaving the state is avoidance, not sharing.

Choice “b” is incorrect. Self insuring or simply tolerating full exposure to risk is known as acceptance. Leaving the state is not acceptance of risk.

Question 47

The Knight Corporation completed its annual retreat of board members and senior management and produced a document that links the organization’s mission and vision with strategic and related objectives. The document includes an objective that the Knight Corporation will rank in the top quartile of quality for its industry. That objective would most likely be a:

a.

Strategic objective.

b.

Related reporting objective.

c.

Related compliance objective.

d.

Related operations objective.

Answer 47

Choice “a” is correct. Broad, company-wide objectives, such as coordinating company-wide resources to produce a service in the top quartile of quality, are strategic, not related.

Choices “d”, “b”, and “c” are incorrect. Related objectives tend to be more specific than the strategic objective and are prepared in support of the broader strategic objective.

Question 48

Management has carefully evaluated the likelihood and impact of events on its foreign operations. In the event of a 3% variation in exchange rate, the impact is estimated at $10 million without any action taken by management and $4 million if the company purchases a hedge instrument. The impact of the residual risk of changes in foreign currency exchange on achieving company’s business objectives is:

a.

$14 million.

b.

$10 million.

c.

$ 6 million.

d.

$ 4 million.

Answer 48

Choice “d” is correct. The $4 million risk exposure, after management purchases the hedge, is the residual risk. Residual risk is the risk that remains after management responds to the risk.

Choice “a” is incorrect. The inherent risk is not the sum of the inherent risk of $10 million and the residual risk of $4 million.

Choice “b” is incorrect. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. The $10 million exposure identified in the problem is the risk exposure without management’s intervention.

Choice “c” is incorrect. The inherent risk is not the difference between the inherent risk of $10 million and the residual risk of $4 million.

Question 49

The Enterprise Risk Management Integrated Framework states that an organization must identify events, both positive and negative, as part of its risk management program. Which of the following is true with regard to events?

a.

Event identification occurs prior to development of objectives.

b.

Enterprise risk management is entirely focused on risks and ignores opportunities.

c.

Events serve as the basis for establishing objectives and thus occur simultaneously with development of objectives.

d.

Event identification occurs after the development of objectives.

Answer 49

Choice “d” is correct. Events can only be identified after the organizational objectives are identified. Events will either favorably or unfavorably impact the achievement of objectives. Risks (negative events) are only identifiable within the context of the objectives that they might impede.

Choice “b” is incorrect. Enterprise risk management considers both positive events (opportunities) and negative events (risks).

Choice “a” is incorrect. Events can only be identified after the organizational objectives are identified. Events will either favorably or unfavorably impact the achievement of objectives.

Choice “c” is incorrect. Events are not the basis for establishing objectives. Events can only be identified after the organizational objectives are identified.

Question 50

The Sarbanes-Oxley Act of 2002 was enacted in response to corporate scandals that largely centered on the quality of corporate financial disclosure and highlighted the inadequate oversight of management, auditors and the Board of Directors. The Sarbanes-Oxley Act addresses the problems related to inadequate board oversight by requiring public companies to have an:

a.

Audit committee.

b.

Independent Board of Directors.

c.

Internal auditor.

d.

Annual audit for all issuers.

Answer 50

Choice “a” is correct. Public companies are required to establish an audit committee that is directly responsible for the appointment, compensation and oversight of the work of the public accounting firm employed by that public company. The separation of audit supervision from the Board of Directors addresses the problem of inadequate board oversight.

Choice “d” is incorrect. An annual audit provides meaningful information about financial reporting but it does not address the issue of board oversight.

Choice “b” is incorrect. The independence of the Board of Directors may provide some assurance about the objectivity of the board but does not address the issue of board oversight.

Choice “c” is incorrect. An internal audit function improves the control environment but it does not engage the Board of Directors in oversight.

Question 51

The Glassman Company completed its annual retreat of board members and senior management and produced a document that links the organization’s mission and vision with strategic and related objectives. The document includes a commitment to establish an ethics hotline and assign a corporate officer to conduct ethics training and monitor reports through the hotline. That commitment would most likely be a:

a.

Related compliance objective.

b.

Related operations objective.

c.

Strategic objective.

d.

Related reporting objective.

Answer 51

Choice “a” is correct. Establishment of an ethics hotline and related corporate training would most likely be a related compliance objective. Ethics training is sometimes referred to as corporate compliance training. Operational implementation of this character is generally a related objective rather than a strategic objective.

Choice “c” is incorrect. Strategic objectives are generally less operationally specific than the related objective contemplated by the ethics program.

Choice “b” is incorrect. An ethics program is a related compliance objective, not an operations objective.

Choice “d” is incorrect. An ethics program is a related compliance objective, not a reporting objective.

Question 52

A company implements an enterprise resource planning application to help improve its financial and operational reporting, while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of:

a.

A social event.

b.

Change management.

c.

Segregation of duties.

d.

An economic event.

Answer 52

Choice “b” is correct. A situation where a company implements new technology and hires an individual to help document new policies and procedures and develop training is an example of change management. Typically, these individuals are outside consultants who specialize in specific aspects of change management and can provide expertise to companies going through significant changes, such as new system implementations.

Choice “a” is incorrect. A company implementing new technology and hiring an outside specialist to assist in the process is not an example of a social event.

Choice “c” is incorrect. Segregation of duties is a means of reducing risk by applying internal controls, such that no one individual performs too many functions within a process.

Choice “d” is incorrect. Hiring a specialist to assist a company with an application implementation is a part of the change management process. Although engaging the services of a consultant in change management may be an economic event of the company that is accounted for in the financial records, it is not the best answer for this question.

Question 53

Which of the following items is one of the eight components of COSO’s enterprise risk management framework?

a.

Reporting.

b.

Monitoring.

c.

Compliance.

d.

Operations.

Answer 53

Choice “b” is correct. Monitoring is one of the eight components of COSO’s enterprise risk management (ERM) framework. The eight components of the ERM framework are summarized as follows in the mnemonicIS EAR AIM:

Internal environment

Setting objectives

Event identification

Assessment of risk

Risk response

Activities (control)

Information and communication

Monitoring

Choice “d” is incorrect. Operations are not one of the eight components of the COSO’s ERM framework identified by the mnemonic IS EAR AIM as shown above.

Choice “a” is incorrect. Reporting is not one of the eight components of the COSO’s ERM framework identified by the mnemonic IS EAR AIM as shown above.

Choice “c” is incorrect. Compliance is not one of the eight components of the COSO’s ERM framework identified by the mnemonic IS EAR AIM as shown above.

Question 54

According to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which of the following components of the internal control integrated framework addresses an entity’s timely reporting of identified internal control deficiencies?

a.

Information and communication.

b.

Monitoring.

c.

Control environment.

d.

Control activities.

Answer 54

Choice “b” is correct. The monitoring component of the integrated framework includes the principle that deficiencies should be investigated in ongoing and separate evaluations and that deficiencies should be reported.

Choice “c” is incorrect. The control environment component includes the tone at the top and the listing of reporting deficiencies.

Choice “d” is incorrect. The control activities component relates to control policies and procedures but does not include reporting deficiencies.

Choice “a” is incorrect. The information and communication component includes gathering and communicating financial and internal control information, but does not specifically address reporting deficiencies.

Question 55

Corbin Corporation is evaluating the sample sizes associated with periodic tests of the existence of a fleet of taxis. Cash receipts associated with fares deposited daily are periodically reconciled to both the fares charged and the taxi’s odometer readings. With respect to monitoring controls over cash vs. vehicles, Corbin will likely:

a.

Review fixed assets on an ongoing basis and cash on a less frequent periodic basis.

b.

Review cash and fixed assets on an ongoing basis.

c.

Review cash and fixed assets on a periodic basis, not on a daily basis.

d.

Review cash on an ongoing basis and fixed assets on a less frequent periodic basis.

Answer 55

Choice “d” is correct. The monitoring of internal control effectiveness is performed based on the significance of the risk being controlled. Cash has more risk than vehicles and thus needs to be monitored more frequently.

Choice “b” is incorrect. Controls related to vehicles (fixed assets) are not likely to need the same ongoing attention that cash requires.

Choices “a” and “c” are incorrect, based on the above explanation.

Question 56

Each of the following is a limitation of enterprise risk management (ERM), except:

a.

ERM operates at different levels with respect to different objectives.

b.

ERM can provide absolute assurance with respect to objective categories.

c.

ERM deals with risk, which relates to the future and is inherently uncertain.

d.

ERM is as effective as the people responsible for its functioning.

Answer 56

Choice “b” is correct. ERM provides a framework in which to manage risk within an organization’s risk appetite to provide reasonable assurance regarding the achievement of entity objectives. The assertion that ERM can provide absolute assurance with respect to objective categories is not true but, if it were, it would represent a strength and not a weakness.

Choice “c” is incorrect. ERM provides a framework in which to manage risk within an organization’s risk appetite to provide reasonable assurance regarding the achievement of entity objectives. The uncertainty of future events or risks addressed by ERM potentially limits the effectiveness of the framework.

Choice “a” is incorrect. ERM provides a framework in which to manage risk within an organization’s risk appetite to provide reasonable assurance regarding the achievement of entity objectives. The complexity of ERM can limit its effectiveness. ERM components are applied to each objective from the entity through the subsidiary level.

Choice “d” is incorrect. ERM provides a framework in which to manage risk within an organization’s risk appetite to provide reasonable assurance regarding the achievement of entity objectives. Like any control mechanism, the effectiveness of the framework is limited by the capabilities of the individuals responsible for implementation.

Question 57

Within the COSO Internal Control—Integrated Framework, which of the following components is designed to ensure that internal controls continue to operate effectively?

a.

Control environment.

b.

Information and communication.

c.

Monitoring.

d.

Risk assessment.

Answer 57

Choice “c” is correct. The monitoring component or function of the internal control framework is designed to ensure that internal controls continue to operate effectively. Monitoring of internal control effectiveness is done to provide an assessment of the performance of the system of internal control over time. Monitoring is designed to ensure that internal controls operate effectively.

Choice “a” is incorrect. The control environment is sometimes referred to as the “tone at the top.” The control environment is the framework upon which all other principles are built. It is not as specifically designed to ensure that internal controls continue to operate effectively as is monitoring.

Choice “d” is incorrect. The risk assessment component of the COSO framework includes principles associated with management’s consideration of the risk of material misstatement, not the assurance that internal controls continue to operate effectively.

Choice “b” is incorrect. The information and communication components of the COSO framework consider those systems that identify, capture, process, and distribute information supporting the accomplishment of financial reporting objectives, not the assurance that internal controls operate effectively.

Question 58

According to COSO, which of the following components of enterprise risk management addresses an entity’s integrity and ethical values?

a.

Internal environment.

b.

Control activities.

c.

Risk assessment.

d.

Information and communication.

Answer 58

Choice “a” is correct. Integrity and ethical values are addressed in the Internal Environment component of the Committee on Sponsoring Organizations Enterprise Risk Management Integrated Framework. Other elements of internal environment include risk management philosophy, risk appetite, organizational structure, assignment of authority and responsibility, and human resources standards.

Choice “d” is incorrect. The information and communication component of the Committee on Sponsoring Organizations Enterprise Risk Management Integrated Framework includes information and communications standards, not ethical values.

Choice “c” is incorrect. The risk assessment component of the Committee on Sponsoring Organizations Enterprise Risk Management Integrated Framework includes the identification of inherent and residual risk, the evaluation of likelihood and impact of risk, and data sources. Ethical values are not a primary component of this area.

Choice “b” is incorrect. The control activities component of the Committee on Sponsoring Organizations Enterprise Risk Management Integrated Framework includes types of control activities, policies and procedures, and integration of control issues with risk responses. Ethical values are not a primary component of this area.

Question 59

Conflict of interest provisions of the Sarbanes-Oxley Act of 2002 generally prohibit the directors or executive officers of an issuer from:

a.

Owning more than 10% of any form of equity.

b.

Receiving a personal loan from the issuer not in the ordinary course of business.

c.

Receiving perquisite compensation.

d.

Owning more than 10% of common stock.

Answer 59

Choice “b” is correct. Issuers are generally prohibited from making personal loans to directors or executive officers under the Sarbanes-Oxley Act of 2002. Exceptions exist for loans made in the ordinary course of business.

Choice “d” is incorrect. Although there is no 10% cap on ownership, disclosures are required for persons who generally directly or indirectly own more than 10 percent of any class of most any equity security.

Choice “a” is incorrect. Although there is no 10% cap on ownership, disclosures are required for persons who generally directly or indirectly own more than 10 percent of any class of most any equity security.

Choice “c” is incorrect. There are no prohibitions on perquisite compensation but disclosures may be required

Question 60

The Daphne Corporation evaluates employees with responsibilities for financial reporting for fulfillment of those responsibilities for compensation and promotion purposes. The company’s policies support the idea that:

a.

Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

b.

Human resources practices should be designed to facilitate effective internal control over financial reporting.

c.

Management’s philosophy and operating style support achieving effective internal control over financial reporting.

d.

The company’s organizational structure supports effective internal control over financial reporting.

Answer 60

Choice “b” is correct. The regular evaluation of employees for their competence in financial reporting is an important link between human resources policies and the achievement of financial reporting objectives.

Choice “c” is incorrect. Management’s operating style relates more to work ethic and commitment to effective financial reporting than the recruitment, retention, and evaluation of employees.

Choice “a” is incorrect. Appropriate delegation relates to the organization’s assignment of duties rather than to the recruitment, retention, and evaluation of employees.

Choice “d” is incorrect. The organizational structure principle typically involves the appropriate alignment of reporting relationships to ensure that controls are not undermined (e.g., internal auditors should not report to the CFO) rather than to the recruitment, retention and evaluation of employees.

Question 61

According to COSO, the use of ongoing and separate evaluations to identify and address changes in internal control effectiveness can best be accomplished in which of the following stages of the monitoring-for-change continuum?

a.

Control baseline.

b.

Change identification.

c.

Change management.

d.

Control revalidation/update.

Answer 61

Choice “b” is correct. The COSO identifies four stages of the change continuum beginning with control baseline, followed by change identification and change management and concluding with control validation/ update. Change identification considers the risk assessment component of internal control and identifies changes in process or risk and verifies that the design of underlying controls remains effective. Monitoring through the use of ongoing and separate evaluations should consider the ability to identify and address changes in the change identification stage of the monitoring for change continuum.

Choice “a” is incorrect. Monitoring starts with a control baseline that supports the understanding of an internal control system’s design and whether controls have been implemented to accomplish internal control objectives. The base line is the starting point and does not address the methods of control monitoring.

Choice “c” is incorrect. Change management contemplates the establishment of a new control baseline in response to changes that either occur or are implemented in response to revised needs. Change management does not contemplate the selection of ongoing or separate evaluations.

Choice “d” is incorrect. Control revalidation and update contemplates confirmation of control effectiveness. Ongoing procedures routinely revalidate and create a continuous baseline while separate evaluations provide periodic revalidation. The revalidation verifies or challenges of the baseline. The use of ongoing or separate evaluations is determined, however, as part of change identification.

Question 62

According to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which of the following components of enterprise risk management addresses an entity’s reporting deficiencies?

a.

Event identification.

b.

Control activities.

c.

Monitoring.

d.

Internal environment.

Answer 62

Choice “c” is correct. The monitoring component of the enterprise risk management (ERM) framework includes key elements that relate to the ongoing management activities or separate evaluations of the ERM approach adopted by the entity, including addressing reporting deficiencies.

Choice “d” is incorrect. The internal environment component of the ERM framework includes key elements such as organizational structure, assignment of authority and responsibility, integrity and ethical values, risk management philosophy, commitment to competence and human resource standards and similar issues that influence the tone of the organization, not reporting deficiencies.

Choice “a” is incorrect. The event identification component of the ERM framework include key elements such as identifying the relevant events that may impact an organization and then determining whether the characteristics of the events are positive (opportunities) or negative (risks), not reporting deficiencies.

Choice “b” is incorrect. The control activities component of the ERM framework includes key elements that relate to the policies and procedures that ensure appropriate responses to identified risks including types of control activities and controls over information systems, not to reporting deficiencies.

Question 63

Each of the following statements is correct regarding the existence and implementation of codes of conduct,except:

a.

The codes of conduct are periodically acknowledged by all employees.

b.

The codes of conduct must be in writing and displayed in public areas, such as a break room.

c.

The codes of conduct are comprehensive, addressing conflicts of interest, illegal or other improper payments, anticompetitive guidelines, and insider trading.

d.

Employees understand what behavior is acceptable or unacceptable and know what to do if they encounter improper behavior.

Answer 63

Choice “b” is correct. A code of conduct should be in writing and available to employees who want to read it, but there is no requirement that it must be displayed in public areas.

Choice “d” is incorrect. A code of conduct should establish that certain behaviors are acceptable/unacceptable and should also provide guidance to employees as to how to handle situations where they encounter unacceptable behavior.

Choice “c” is incorrect. A code of conduct needs to be comprehensive, rather than just addressing one or two potential issues.

Choice “a” is incorrect. Employees should periodically review and acknowledge the code of conduct.

Question 64

For the components of Enterprise Risk Management to be functioning effectively, there cannot be:

a.

Extraordinary losses.

b.

Material weaknesses in internal control.

c.

Operating losses in the last three fiscal periods.

d.

Reliance on unconsolidated subsidiaries.

Answer 64

Choice “b” is correct. In order for the operating efficiencies contemplated by enterprise risk management to operate effectively, there cannot be material weaknesses in internal control.

Choices “c”, “d”, and “a” are incorrect. Enterprise risk management is associated with the identification and evaluation of risk and the balancing of those risks with profitability and growth objectives. Recent operating losses, reliance on unconsolidated subsidiaries, and extraordinary losses would not preclude the effective operation of enterprise risk management concepts.

Question 65

Able Corporation owns numerous businesses along the coast of Florida. The company’s management has identified business interruption events as a potential risk resulting from storm damages caused by hurricanes. The company elects to treat the potential damages from hurricanes as part of their business model. Able’s response to potential risks is known as:

a.

Reduction.

b.

Acceptance.

c.

Avoidance.

d.

Sharing.

Answer 65

Choice “b” is correct. Self insuring or simply tolerating the full exposure to risk is known as acceptance.

Choice “c” is incorrect. A response to risk that involves disposal of a business unit, product line or geographical segment is called risk avoidance. Accepting risk as part of a business model does not represent avoidance.

Choice “a” is incorrect. A response to risk that involves diversification of product offerings, rather than elimination of product offerings, is called reduction. Accepting risk as part of a business model does not represent reduction.

Choice “d” is incorrect. Insuring against losses or entering into joint ventures to address risk is known as risk sharing. Accepting risk as part of a business model does not represent sharing.

Question 66

The Sarbanes-Oxley Act of 2002 requires that one or more members of the audit committee be a financial expert and that the financial reports disclose:

a.

The name of the Board member(s) serving as financial expert(s).

b.

The existence of financial expert(s) on the audit committee or the reasons why the audit committee does not have a financial expert.

c.

Confirmation of the audit opinion by the financial expert.

d.

Certification of independence of the financial expert.

Answer 66

Choice “b” is correct. In the financial reports, the issuer must disclose the existence of financial expert(s) on the committee or the reasons why the committee does not have a financial expert.

Choice “a” is incorrect. Although the SEC proposed requirements that the name of the financial expert be disclosed, the Sarbanes-Oxley Act only requires that the existence of a financial expert(s) (or lack thereof) be disclosed.

Choice “c” is incorrect. The financial expert is not required to report on the audit opinion.

Choice “d” is incorrect. Although audit committee members are required to be independent and the SEC has proposed disclosure of independence, certification of independence is not required in financial reports under the Act.

Question 67

Arnold Astor, CPA, is a local tax practitioner who has been asked to sit on the Board of BigLarge Corporation, a multinational issuer. Astor has never had any involvement either as an employee or as an auditor with publically traded companies but does teach an accounting principles class at the community college. Under the provisions of Sarbanes-Oxley Act of 2002:

a.

Astor must petition the SEC for a waiver of prior experience requirements to be considered a financial expert.

b.

The audit committee would immediately certify Astor’s qualifications as a financial expert based on his CPA license and academic experience with GAAP and experience with internal control.

c.

The Board of Directors would likely evaluate Astor’s qualifications to serve on the audit committee and be designated as a financial expert based on mix of knowledge and experience.

d.

Astor qualifies as a financial expert based on achievement of a CPA certificate.

Answer 67

Choice “c” is correct. Qualification as a financial expert is a judgmental issue is typically made by the Board of Directors. The Sarbanes-Oxley Act is silent as to what group has the authority to designate an individual a financial expert but in practice, the board most often makes that decision. The Act provides some guidance but does not prescribe specific qualifications.

Choice “d” is incorrect. The Act provides some guidance but does not prescribe specific qualifications. The achievement of the CPA license generally does not qualify an individual as a financial expert.

Choice “a” is incorrect. The Act provides some guidance but does not prescribe specific qualifications. The idea of a petition to the SEC is a distracter.

Choice “b” is incorrect. The Act provides some guidance but does not prescribe specific qualifications. In addition, the audit committee would likely not regulate or evaluate the expertise of its own membership. The Board of Directors would likely make the decisions regarding the designation of financial experts.

Question 68

Auburndale Corporation has a corporate compliance program that allows employees the option of anonymously reporting violations of laws, rules, regulations, policies or other issues of abuse through a hotline. Reported issues are reviewed by the internal auditor and either immediately forwarded to the CEO or summarized and reported to the CEO each month. The program also provides opportunities to report through supervisory channels and includes a biannual training class that all employees must complete. The corporate compliance program demonstrates that:

a.

Management’s philosophy and operating style support achieving effective internal control over financial reporting.

b.

Management and employees are assigned appropriate levels of authority and responsibility to facilitate effective internal control over financial reporting.

c.

The Board of Directors understands and exercises oversight responsibility related to financial reporting and related internal control.

d.

Sound integrity and ethical values are developed and understood and set the standard of conduct for financial reporting.

Answer 68

Choice “d” is correct. The existence of a compliance program that includes both ethics training and a hotline for anonymous reporting is evidence of development of ethical values and ensuring that those values are understood and taken seriously.

Choice “c” is incorrect. Board oversight relates more to overall leadership than to the specifics of ethical behavior.

Choice “a” is incorrect. Management’s operating style relates more to work ethic and commitment to effective financial reporting rather than the specifics of ethical behavior.

Choice “b” is incorrect. Appropriate delegation relates to the organization’s assignment of duties rather than to the specifics of ethical behavior.

Question 69

Which of the following positions best describes the nature of the Board of Directors of XYZ Co.’s relationship to the company?

a.

Representative.

b.

Agent.

c.

Executive.

d.

Fiduciary.

Answer 69

Choice “d” is correct. The board of directors has a fiduciary responsibility to act on behalf of and in the best interest of the corporation.

Choice “b” is incorrect. The board of directors is not primarily charged with acting as an agent of the corporation. Employees, for example, act as agents.

Choice “c” is incorrect. The board of directors is not primarily charged with acting as an executive in fulfilling their fiduciary responsibility to the corporation. Officers, for example, act as executives.

Choice “a” is incorrect. The board of directors is not primarily charged with acting as representatives in fulfilling their fiduciary responsibility to the corporation. Corporate attorneys or employees, for example, fulfill the role of representative

Question 70

According to the Sarbanes-Oxley Act of 2002, a chief executive officer or chief financial officer who misrepresents the company’s finances may be penalized by being:

a.

Imprisoned, but not fined.

b.

Fined, but not imprisoned.

c.

Fined and imprisoned.

d.

Removed from the corporate office and fined.

Answer 70

Choice “c” is correct. An individual who knowingly executes or attempts to execute, securities fraud will be fined or imprisoned not more than 25 years or both.

Choice “b” is incorrect. The provisions of the Sarbanes-Oxley Act of 2002 provide for penalties for misrepresentation of company finance that may include both fines and penalties.

Choice “a” is incorrect. The provisions of the Sarbanes-Oxley Act of 2002 provide for penalties for misrepresentation of company finance that may include both penalties and fines.

Choice “d” is incorrect. The provisions of the Sarbanes-Oxley Act of 2002 provide for penalties for misrepresentation of company finance that may include both fines and penalties but do not carry provisions for removal from corporate office.

Question 71

A manufacturing firm identified that it would have difficulty sourcing raw materials locally, so it decided to relocate its production facilities. According to COSO, this decision represents which of the following responses to the risk?

a.

Risk acceptance.

b.

Prospect theory.

c.

Risk reduction.

d.

Risk sharing.

Answer 71

Choice “c” is correct. Relocation of production facilities to assure an uninterrupted supply chain (e.g., sourcing raw materials) is an example of risk reduction. The Committee of Sponsoring Organization’s (COSO) Enterprise Risk Management (ERM) framework identifies four methods of responding to risk, including avoidance, reduction, sharing and acceptance. The relocation of the plant reduces the risk of supply chain interruption. Risk avoidance techniques might involve discontinuing the product that uses the raw material altogether or replacing the raw material with a locally available product. Risk acceptance is typically associated with doing nothing. Risk sharing is often associated with purchasing insurance, however, in this instance, the company might chose to share risk by buying purchase options to ensure raw material availability from other sources or obtaining purchase commitments from local suppliers (with penalty clauses for nonperformance).

Choice “b” is incorrect. The COSO ERM framework identifies four methods of responding to risk including avoidance, reduction, sharing and acceptance. Prospect theory, which seeks to describe how people decide between alternatives that involve risk, is not described by the COSO as a risk management technique.

Choice “d” is incorrect. The COSO ERM framework identifies four methods of responding to risk including avoidance, reduction, sharing and acceptance. Risk sharing is often associated with purchasing insurance, however, in this instance, the company might chose to share risk by buying purchase options to ensure raw material availability from other sources or obtaining purchase commitments from local suppliers (with penalty clauses for nonperformance).

Choice “a” is incorrect The COSO ERM framework identifies four methods of responding to risk including avoidance, reduction, sharing and acceptance Risk acceptance is typically associated with doing nothing.

Question 72

The Committee on Sponsoring Organizations prepared the Internal Control Integrated Framework:

a.

As part of the Congressional task force known as the Treadway Commission.

b.

To help businesses assess internal control.

c.

To compliment the overarching concepts of the enterprise risk management framework.

d.

To respond to the internal control assessment requirements of the Sarbanes-Oxley Act of 2002.

Answer 72

Choice “b” is correct. In 1992, the Committee on Sponsoring Organizations (COSO) issued Internal Control – Integrated Framework (the Framework) to assist organizations in developing comprehensive assessments of internal control effectiveness. The Framework is widely regarded as an appropriate and comprehensive basis to document the assessment of internal controls over financial reporting.

Choice “d” is incorrect. The Framework was developed in 1992, ten years before the Sarbanes-Oxley Act of 2002.

Choice “a” is incorrect. The Treadway Commission was a private initiative and was not part of a congressional task force.

Choice “c” is incorrect. Although the internal control framework does complement the enterprise risk management framework, the internal control literature was prepared in 1992 while the enterprise risk management literature was developed in 2004. The internal control framework could not have been developed to complement the enterprise risk management framework.

Question 73

According to COSO, the position or internal entity that is best suited, as part of the enterprise risk management process, to devise and execute risk procedures for a particular department is:

a.

The chief executive officer.

b.

The internal audit department.

c.

A manager within the department.

d.

The audit committee.

Answer 73

Choice “c” is correct. The manager of a given department has a greater understanding of the risks and challenges associated with that department than would any other member of executive leadership. As such, the manager should be the individual tasked with devising and executing risk procedures for that department.

Choice “b” is incorrect. Internal audit is a central operation that is removed from any one individual department and would therefore not be in the best position to assess risk at a departmental level.

Choice “a” is incorrect. The CEO is not in a better position to devise/execute risk procedures for a department than the manager of that department.

Choice “d” is incorrect. The audit committee will manage the relationship with a company’s external auditor and resolve disputes between the auditor and management. They are not charged with devising and executing risk procedures for departments.